AMENDMENTS TO THE CLAIMS 
Amended claims follow: 

1. (Currently Amended) A computer program product embodied on a tangible 
computer readable medium operable to detect malicious computer program activity, 
comprising: 

logging code operable to log a stream of external program calls; 

primary set identifying code operable to identify, within said stream of external 
program calls, a primary set of one or more external program calls matching one or more 
rules indicative of malicious computer program activity from among a set of rules; 

secondary set identifying code operable to identify, within said stream, at least 
one secondary set of one or more external program calls associated with said primary set 
of one or more external program calls; and 

modifying code operable to modify said set of rules such that said at least one 
secondary set of one or more external program calls are more strongly associated with 
malicious computer program activity; 

wherein one of said at least one secondary set of one or more external program 
calls precedes said primary set of one or more external program calls within said stream 
of external program calls; 

wherein said set of rules is modified to include a new rule corresponding to said 
secondary set of one or more external program calls, said new rule thereafter being used 
in addition to other rules within said set of rules. 

2. (Cancelled) 

3. (Original) A computer program product as claimed in claim 1, wherein said 
external program calls are application program interface calls to an operating system. 

4. (Original) A computer program product as claimed in claim 1, wherein each of 
said external program calls has one or more characteristics compared against said set of 
rules. 

5. (Original) A computer program product as claimed in claim 4, wherein said one 
or more characteristics include: 

a call name; 

a return address; 

one or more parameter values; and 

one or more returned results. 

6. (Original) A computer program product as claimed in claim 1, wherein rules 
within said set of rules specify score values of external program calls having 
predetermined characteristics and a set of one or more external program calls is identified 
as corresponding to malicious computer program activity if said set of one or more 
external program calls has a combined score value exceeding a threshold level. 

7. (Previously Presented) A computer program product as claimed in claim 6, 
wherein score values within a set of rules associated with said secondary set of one or 
more external program calls are increased to more strongly associate said secondary set 
of external program calls with malicious computer program activity. 

8. (Original) A computer program product as claimed in claim 1, wherein said set of 
rules include at least one of: 

one or more pattern matching rules; and 
one or more regular expression rules. 

9. (Original) A computer program product as claimed in claim 1, wherein said set of 
rules are responsive to ordering of external program calls. 

10. (Original) A computer program product as claimed in claim 1, wherein said 
modifying code dynamically adapts said set of rules in response to detected streams of 
external program calls performing malicious computer program activity. 

11. (Currently Amended) A computer program product as claimed in claim 1, 
wherein at least changes within said set of rules are transmitted to one or more remote 
computers such that said one or more remote computers can use said modified set of rules 
without having to suffer said malicious computer program activity. 

12. (Original) A computer program product as claimed in claim 1, wherein changes 
within said set of rules are transmitted to a rule supplier. 

13. (Original) A computer program product as claimed in claim 1, wherein said 
stream of external program calls are logged following emulation of execution of a 
computer program. 

14. (Cancelled) 

15. (Original) A computer program product as claimed in claim 1, comprising starting 
point identifying code operable to identify a starting point of malicious computer 
program activity within said stream of external program calls. 

16. (Original) A computer program product as claimed in claim 15, wherein said 
starting point corresponds to one of: 

starting execution of a computer file; and 

a switch of memory address region from which program instructions are executed. 

17. (Original) A computer program product as claimed in claim 1, wherein said set of 
rules is subject to a validity check after modification to determine if said set of rules is 
more effectively detecting malicious computer program activity. 
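The detection and rule-adaptation loop that claims 1, 6, 7 and 17 describe (and that claims 18 and 35 restate as a method and an apparatus) is shown below as an added worked example in Python. It is not part of this amendment and is not the applicant's implementation. The class and function names, the starting rules, the constructed call stream, the threshold, window and lookback values, and the choice of "flags the same stream at an earlier call" as the claim 17 validity metric are all assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Call:
    """One logged external program call with the claim 5 characteristics."""
    name: str
    return_address: int
    params: tuple
    result: int


@dataclass
class Rule:
    """Claim 6: a predicate over a call's characteristics plus a score value."""
    name: str
    match: Callable[[Call], bool]
    score: int
    permanent: bool = True  # rules learned by modify_rules() start out temporary


def call_score(call: Call, rules: List[Rule]) -> int:
    return sum(r.score for r in rules if r.match(call))


def find_primary_set(stream: List[Call], rules: List[Rule],
                     threshold: int, window: int) -> Optional[List[int]]:
    """Claim 6: slide a window of `window` consecutive calls along the stream; return the
    indices of the rule-matching calls in the first window whose combined score exceeds
    `threshold`, or None if the threshold is never crossed."""
    for end in range(len(stream)):
        start = max(0, end - window + 1)
        hits = [i for i in range(start, end + 1) if call_score(stream[i], rules) > 0]
        if sum(call_score(stream[i], rules) for i in hits) > threshold:
            return hits
    return None


def find_secondary_set(primary: List[int], lookback: int) -> List[int]:
    """Claim 1: the run of up to `lookback` calls that precede the first primary call."""
    return list(range(max(0, primary[0] - lookback), primary[0]))


def modify_rules(stream: List[Call], secondary: List[int], rules: List[Rule],
                 boost: int = 1, new_score: int = 1) -> List[Rule]:
    """Claims 1 and 7: for each secondary call, raise the score of every existing rule
    it matches (claim 7); if none matches, add a new temporary rule keyed on the call
    name and first parameter (claim 1). The input rule set is not mutated."""
    modified = [Rule(r.name, r.match, r.score, r.permanent) for r in rules]
    for i in secondary:
        call = stream[i]
        matched = [r for r in modified if r.match(call)]
        for r in matched:
            r.score += boost
        if not matched:
            name, first = call.name, call.params[:1]
            modified.append(Rule(f"learned:{name}",
                                 lambda c, n=name, p=first: c.name == n and c.params[:1] == p,
                                 new_score, permanent=False))
    return modified


def validity_check(stream, old_rules, new_rules, threshold, window) -> bool:
    """Claim 17: re-run detection with the modified rules. Assumed metric: the modified
    set is 'more effective' if it flags the stream at an earlier call index."""
    old = find_primary_set(stream, old_rules, threshold, window)
    new = find_primary_set(stream, new_rules, threshold, window)
    return new is not None and (old is None or new[-1] < old[-1])


def adapt(stream, rules, threshold=3, window=4, lookback=3) -> dict:
    """One pass of the loop: detect, learn from the preceding calls, check, promote."""
    primary = find_primary_set(stream, rules, threshold, window)
    if primary is None:
        return {"primary": None, "secondary": [], "rules": rules, "promoted": False}
    secondary = find_secondary_set(primary, lookback)
    modified = modify_rules(stream, secondary, rules)
    promoted = validity_check(stream, rules, modified, threshold, window)
    if promoted:
        for r in modified:
            r.permanent = True  # temporary -> permanent once the check passes (cf. claims 52-54)
    return {"primary": primary, "secondary": secondary, "rules": modified, "promoted": promoted}


# Constructed starting rule set (assumed, for illustration only).
BASE_RULES = [
    Rule("temp_file_create", lambda c: c.name == "CreateFile" and "\\Temp\\" in c.params[0], 1),
    Rule("system_dir_write", lambda c: c.name == "CreateFile"
         and c.params[0].startswith("C:\\Windows\\System32"), 2),
    Rule("run_key_set", lambda c: c.name == "RegSetValue" and "\\Run" in c.params[0], 2),
]

# Constructed call stream, not captured from any real program.
SAMPLE_STREAM = [
    Call("GetModuleHandle", 0x401010, ("kernel32.dll",), 0x7C800000),
    Call("GetTempPath", 0x401020, (260,), 24),
    Call("CreateFile", 0x401030, ("C:\\Users\\u\\AppData\\Local\\Temp\\a.exe",), 0x1C),
    Call("WriteFile", 0x401040, (0x1C,), 1),
    Call("CreateFile", 0x401050, ("C:\\Windows\\System32\\svc.exe",), 0x20),
    Call("WriteFile", 0x401060, (0x20,), 1),
    Call("RegSetValue", 0x401070, ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",), 0),
    Call("CreateProcess", 0x401080, ("C:\\Windows\\System32\\svc.exe",), 1),
]

if __name__ == "__main__":
    out = adapt(SAMPLE_STREAM, BASE_RULES)
    print("primary", out["primary"], "secondary", out["secondary"], "promoted", out["promoted"])
    for r in out["rules"]:
        print(f"  {r.name:<22} score={r.score} permanent={r.permanent}")
```

With the starting rules the stream only crosses the threshold at the window ending with the registry write (primary set at indices 4 and 6). The three calls before it form the secondary set: the temp-file create already matches a low-scoring rule and has its score raised (claim 7), while the other two get new temporary rules (claim 1). Re-running with the modified set flags the stream at index 3, earlier than before, so the validity check passes and the learned rules are promoted. Keying learned rules on name plus first parameter rather than on name alone is a deliberate choice: a rule that fires on every `WriteFile` would raise scores on benign streams as well, which is exactly what the claim 17 check is meant to catch.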

18. (Currently Amended) A method of detecting malicious computer program 
activity, said method comprising the steps of: 

logging a stream of external program calls; 

identifying within said stream of external program calls a primary set of one or 
more external program calls matching one or more rules indicative of malicious computer 
program activity from among a set of rules; 

identifying within said stream at least one secondary set of one or more external 
program calls associated with said primary set of one or more external program calls; and 

modifying said set of rules such that said at least one secondary set of one or more 
external program calls are more strongly associated with malicious computer program 
activity; 

wherein one of said at least one secondary set of one or more external program 
calls precedes said primary set of one or more external program calls within said stream 
of external program calls; 

wherein said set of rules is modified to include a new rule corresponding to said 
secondary set of one or more external program calls, said new rule thereafter being used 
in addition to other rules within said set of rules. 

19. (Cancelled) 

20. (Original) A method as claimed in claim 18, wherein said external program calls 
are application program interface calls to an operating system. 

21. (Original) A method as claimed in claim 18, wherein each of said external 
program calls has one or more characteristics compared against said set of rules. 

22. (Original) A method as claimed in claim 21, wherein said one or more 
characteristics include: 

a call name; 
a return address; 

one or more parameter values; and 
one or more returned results. 

23. (Original) A method as claimed in claim 18, wherein rules within said set of rules 
specify score values of external program calls having predetermined characteristics and a 
set of one or more external program calls is identified as corresponding to malicious 
computer program activity if said set of one or more external program calls has a 
combined score value exceeding a threshold level. 

24. (Previously Presented) A method as claimed in claim 23, wherein score values 
within a set of rules associated with said secondary set of one or more external program 
calls are increased to more strongly associate said secondary set of external program calls 
with malicious computer program activity. 

25. (Previously Presented) A method as claimed in claim 18, wherein said set of rules 
include at least one of: 

one or more pattern matching rules; and 
one or more regular expression rules. 

26. (Original) A method as claimed in claim 18, wherein said set of rules are 
responsive to ordering of external program calls. 

27. (Original) A method as claimed in claim 18, wherein said step of modifying said 
set of rules dynamically adapts said set of rules in response to detected streams of 
external program calls performing malicious computer program activity. 

28. (Currently Amended) A method as claimed in claim 18, wherein at least changes 
within said set of rules are transmitted to one or more remote computers such that said 
one or more remote computers can use said modified set of rules without having to suffer 
said malicious computer program activity. 

29. (Original) A method as claimed in claim 18, wherein changes within said set of 
rules are transmitted to a rule supplier. 

30. (Original) A method as claimed in claim 18, wherein said stream of external 
program calls are logged following emulation of execution of a computer program. 

31. (Cancelled) 

32. (Original) A method as claimed in claim 18, comprising identifying a starting 
point of malicious computer program activity within said stream of external program 
calls. 

33. (Original) A method as claimed in claim 32, wherein said starting point 
corresponds to one of: 

starting execution of a computer file; and 

a switch of memory address region from which program instructions are executed. 

34. (Original) A method as claimed in claim 18, wherein said set of rules is subject to 
a validity check after modification to determine if said set of rules is more effectively 
detecting malicious computer program activity. 

35. (Currently Amended) A data processing apparatus operable to detect malicious 
computer program activity, said apparatus comprising: 

logging logic operable to log a stream of external program calls; 

primary set identifying logic operable to identify, within said stream of external 
program calls, a primary set of one or more external program calls matching one or more 
rules indicative of malicious computer program activity from among a set of rules; 

secondary set identifying logic operable to identify, within said stream, at least 
one secondary set of one or more external program calls associated with said primary set 
of one or more external program calls; and 

modifying logic operable to modify said set of rules such that said at least one 
secondary set of one or more external program calls are more strongly associated with 
malicious computer program activity; 

wherein one of said at least one secondary set of one or more external program 
calls precedes said primary set of one or more external program calls within said stream 
of external program calls; 

wherein said set of rules is modified to include a new rule corresponding to said 
secondary set of one or more external program calls, said new rule thereafter being used 
in addition to other rules within said set of rules. 

36. (Cancelled) 

37. (Original) An apparatus as claimed in claim 35, wherein said external program 
calls are application program interface calls to an operating system. 

38. (Original) An apparatus as claimed in claim 35, wherein each of said external 
program calls has one or more characteristics compared against said set of rules. 

39. (Original) An apparatus as claimed in claim 38, wherein said one or more 
characteristics include: 

a call name; 
a return address; 

one or more parameter values; and 
one or more returned results. 

40. (Original) An apparatus as claimed in claim 35, wherein rules within said set of 
rules specify score values of external program calls having predetermined characteristics 
and a set of one or more external program calls is identified as corresponding to 
malicious computer program activity if said set of one or more external program calls has 
a combined score value exceeding a threshold level. 

41. (Previously Presented) An apparatus as claimed in claim 40, wherein score values 
within a set of rules associated with said secondary set of one or more external program 
calls are increased to more strongly associate said secondary set of external program calls 
with malicious computer program activity. 

42. (Original) An apparatus as claimed in claim 35, wherein said set of rules include 
at least one of: 

one or more pattern matching rules; and 
one or more regular expression rules. 

43. (Original) An apparatus as claimed in claim 35, wherein said set of rules are 
responsive to ordering of external program calls. 

44. (Original) An apparatus as claimed in claim 35, wherein said modifying logic 
dynamically adapts said set of rules in response to detected streams of external program 
calls performing malicious computer program activity. 

45. (Currently Amended) An apparatus as claimed in claim 35, wherein at least 
changes within said set of rules are transmitted to one or more remote computers such 
that said one or more remote computers can use said modified set of rules without having 
to suffer said malicious computer program activity. 

46. (Original) An apparatus as claimed in claim 35, wherein changes within said set 
of rules are transmitted to a rule supplier. 

47. (Original) An apparatus as claimed in claim 35, wherein said stream of external 
program calls are logged following emulation of execution of a computer program. 



48. (Cancelled) 

49. (Original) An apparatus as claimed in claim 35, comprising starting point 
identifying logic operable to identify a starting point of malicious computer program 
activity within said stream of external program calls. 

50. (Original) An apparatus as claimed in claim 49, wherein said starting point 
corresponds to one of: 

starting execution of a computer file; and 

a switch of memory address region from which program instructions are executed. 

51. (Original) An apparatus as claimed in claim 35, wherein said set of rules is 
subject to a validity check after modification to determine if said set of rules is more 
effectively detecting malicious computer program activity. 

52. (Previously Presented) A computer program product as claimed in claim 1, further 
comprising applying high level rules to the modified set of rules, and promoting said 
modified set of rules from a temporary set to a permanent set based on the application of 
the high level rules to the modified set of rules. 

53. (Previously Presented) A computer program product as claimed in claim 1, further 
comprising determining whether said modified set of rules decrease malicious network 
traffic, and promoting said modified set of rules from a temporary set to a permanent set 
if it is determined that said modified set of rules decrease said malicious network traffic. 

54. (New) A computer program product as claimed in claim 1, further comprising 
promoting code operable to determine whether said modified set of rules slows malware 
propagation, and to promote said modified set of rules from a temporary set to a 
permanent set if it is determined that said modified set of rules slows said malware 
propagation. 
